Don't forget your Kerberos - Security Support Provider Interface (SSPI) authentication failed

CRM dynamics crm web services kerberos active directory soap https

I had a colleague reach out to me today because they were facing an issue calling Dynamics CRM 2015 web services over HTTPS. The calls worked over HTTP, but not HTTPS. He sent me the details of the exception he was getting, as seen below.

SOAP security negotiation with https://d....2/A....EV/XRMServices/2011/Organization.svc for target https://dcb.../A...EV/XRMServices/2011/Organization.svc failed. See inner exception for more details.

Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'host/servername'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.

The resolution was to run the setspn command to create the SPN for HTTPS. The CRM Admin in his environment had only configured Kerberos for the http endpoint, neglecting the https endpoint. Once they did this, all was fixed. I like a happy ending... but that's another story.

If you refer to this section of MSDN you'll see the setspn command, but out of context it doesn't explicitly state to do it for https also.